Less Is More: Advanced Malware Represents a Small Percentage of Enterprise Threats, But Packs Highest Impact

When it comes to both low-impact and advanced malware, the numbers are staggering. PandaLabs recently reported that nearly one-third (31.6 percent) of all PCs worldwide are infected with malware; after assessing over 100 enterprises around the world, TrendMicro concluded that 100 percent of enterprises had undetected malware; and a recent Ponemon Institute study of 130 enterprise organizations throughout the world found 11 percent of desktops, laptops or other mobile data-bearing devices had been infected by malware in any given month.

While certainly disturbing, these figures are also a bit misleading. The term “malware” represents a broad range of malicious software that affects end user devices in different ways. Most malware is considered to be “nuisance-ware,” which requires user and administrative resources to remediate and mostly leads to diminished productivity. Advanced malware, a far more dangerous form, steals sensitive data and communicates it to the attacker. Advanced malware presents a potentially devastating operational risk to the enterprise since it is specifically designed to steal and exfiltrate employee access credentials and sensitive corporate data.

The Growing Threat of Advanced Malware

Recent IBM analysis found that approximately 1 in every 500 employee endpoints is infected with sophisticated, information-stealing malware at any point in time. The IBM Security malware research team continuously analyzes information received from tens of millions of user endpoints and hundreds of organizations using IBM Security Trusteer solutions to protect their Web applications, computers and mobile devices from online threats.

Many of these users and organizations deal with highly sensitive financial transactions on a daily basis and are therefore constantly targeted by fraudsters and cyber criminals. Additionally, organizations are increasingly concerned about advanced persistent threats targeting their employee endpoints in an attempt to gain valuable business information such as intellectual property, legal documents and operational data.

2014 Ponemon Study: The Economic Impact of Advanced Persistent Threats (APTs)

This highly advanced malware exists within the broader malware infection statistics, which include a variety of malware categories. Although relatively small in number, this type of malware can have a huge impact. Because most malware detection software is designed to find standard, known malware — and because standard, known malware represents the vast majority of enterprise malware — most organizations falsely believe they are finding and eliminating virtually all malware threats. This is exactly what the advanced malware attackers want them to believe. While many organizations are satisfied with their malware detection statistics, this small sliver of advanced malware goes undetected and remains in position to cause devastating damage.

Rather than focus on the total number of PCs infected globally or within an average organization, all organizations should focus on the 1 in 500 employee devices that are infected with advanced data-stealing malware. This type of malware has highly evolved evasion capacities that render it virtually invisible to most malware detection applications. Mandiant recently reported that 94 percent of the time, enterprises only find out about a compromise due to a third-party notification. Advanced malware can compromise an employee’s device, steal sensitive data and continue to access the corporate network without being detected. It’s highly likely that it’s happening in your organization right now; you just don’t know it yet.

More from Malware

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…